Microsoft continues to take aim at malware abusing the AutoRun feature in Windows—this time placing a fix into the Windows Update channel to prevent exploitation by attackers.
AutoRun is a feature that lets removable media such as USB devices and CDs launch a program automatically when they are inserted, based on instructions in an autorun.inf file on the media; it is also one of the chief propagation mechanisms worms use. In response to the problem, Microsoft changed AutoPlay (the feature that lets users decide what program starts when removable media is inserted) in Windows 7 so that it no longer honors AutoRun on non-optical media such as USB drives. That change was later made available for older versions of Windows through the Microsoft Download Center.
Now, Microsoft is making the “non-security update” available via Windows Server Update Services, which administrators use to push updates out to users.
According to the Microsoft Malware Protection Center, Windows XP users were nearly 10 times as likely to get infected by one of these worms as Windows 7 users.
“What we know, and talked about in volume 9 of our Security Intelligence Report last fall, is that a lot of malware uses Autorun as one of several propagation mechanisms,” blogged Adam Shostack, a program manager working in Trustworthy Computing for Microsoft. “Because of the very real positive uses of Autorun, we didn't want to simply shut it off without a conversation. On the other hand, we believed action should be taken to shut down the misuse.”
The update still does not affect CDs or DVDs that carry AutoRun files. However, Shostack noted the company has not seen malware taking advantage of that, and malware on CDs or DVDs would likely have a less widespread impact because people burn CDs less often than they insert USB drives.
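For administrators who want to see which drive types AutoRun is currently disabled for on a given host, and to close the optical-media gap the update leaves open, the following PowerShell script is an added example for this page, not Microsoft's code and not part of the original article. It audits and optionally sets the NoDriveTypeAutoRun policy value, Microsoft's documented registry control for AutoRun per drive type. That policy is independent of the update discussed here (the update changes how autorun.inf on non-optical media is handled whether or not the value is set), so the script is a complementary hardening check, not a test of whether the update is installed. The function names and the bit labels are the example's own.

```powershell
# Added example (not from the article or from Microsoft): audit and optionally
# harden the per-drive-type AutoRun policy on a Windows host.
# NoDriveTypeAutoRun is Microsoft's documented policy value; bit n of the mask
# disables AutoRun for drive type n in the GetDriveType() numbering.
# Run from an elevated PowerShell session.

$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName  = 'NoDriveTypeAutoRun'

# Labels are this example's own; the bit values are the documented ones.
$DriveTypeBits = [ordered]@{
    'Unknown'   = 0x01
    'NoRootDir' = 0x02
    'Removable' = 0x04   # USB sticks, floppies: what the update addresses
    'Fixed'     = 0x08
    'Network'   = 0x10
    'CDROM'     = 0x20   # CDs and DVDs: still honored by the update
    'RAMDisk'   = 0x40
    'Reserved'  = 0x80
}

function Get-AutoRunPolicy {
    # Returns the current mask as an integer, or $null when the value is not
    # set (in which case the built-in Windows default applies).
    $item = Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy {
    # Prints one line per drive type saying whether AutoRun is blocked for it.
    $mask = Get-AutoRunPolicy
    if ($null -eq $mask) {
        Write-Output "$ValueName is not set; the built-in default applies."
        return
    }
    Write-Output ("{0} = 0x{1:X2}" -f $ValueName, $mask)
    foreach ($entry in $DriveTypeBits.GetEnumerator()) {
        $state = if (($mask -band $entry.Value) -ne 0) { 'AutoRun disabled' } else { 'AutoRun allowed' }
        Write-Output ("  {0,-10} {1}" -f $entry.Key, $state)
    }
}

function Disable-AutoRunAllDrives {
    # 0xFF sets every bit, disabling AutoRun for all drive types, optical
    # media included; this goes beyond what the update itself changes.
    if (-not (Test-Path $PolicyPath)) { New-Item -Path $PolicyPath -Force | Out-Null }
    New-ItemProperty -Path $PolicyPath -Name $ValueName -PropertyType DWord -Value 0xFF -Force | Out-Null
}

Show-AutoRunPolicy
# To enforce, uncomment the next line; the new mask takes effect for each
# user after Explorer restarts (sign out and back in, or reboot).
# Disable-AutoRunAllDrives; Show-AutoRunPolicy
```

The same value can be deployed centrally through Group Policy rather than written per host; the script is useful mainly for spot-checking what a machine actually has, since a policy pushed through WSUS-managed updates and a registry setting pushed through GPO are two separate controls.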
Among the malware that abused the AutoRun feature were two of the most highly publicized pieces of malware in history, Conficker and Stuxnet.
“All in all, though, Microsoft has done a good thing here,” blogged Graham Cluley, senior technology consultant at Sophos. “Autorun was never a necessary technology in my point of view, and its exploitation by malware made it a dangerous liability. Locking it in a windowless room, handing it a service revolver and appealing to its sense of decency is probably the best move that we can make.”
Changing system behavior is never a trivial thing, and Microsoft takes it seriously, Shostack wrote.
“It would be a bad outcome for people to think they have to make a tradeoff between security and anything else,” he blogged. “Updates to protect against vulnerabilities are an important part of keeping a system secure. We had to be very confident that this change was the right balance for most people.”